This Document Contains Chapters 8 to 10

Chapter 8
Subnets and VLANs

At a Glance

Instructor’s Manual Table of Contents
• Overview
• Objectives
• Teaching Tips
• Quick Quizzes
• Class Discussion Topics
• Additional Projects
• Additional Resources
• Key Terms

Lecture Notes

Overview

Network segmentation takes the divide-and-conquer approach to network management. When done well, it increases both performance and security on a network. A network can be segmented physically by creating multiple LANs or logically through the use of VLANs (virtual LANs). Either way, the larger broadcast domain is divided into smaller segments, and the IP address space is subdivided as well.

In this chapter, the student will learn about two important concepts that enable and support network segmentation: subnets and virtual LANs (VLANs). Fundamentally, a subnet is a group of IP addresses, and a VLAN is a group of ports on a switch. Subnets and VLANs usually work together, but students learn about each of them separately first. Then students explore the important role that subnetting plays in network segmentation. Finally, students look at how VLANs work and the unique flexibility they offer.

Chapter Objectives

After reading this chapter and completing the exercises, the student will be able to:
• Explain the purposes of network segmentation
• Calculate and implement subnets
• Explain how VLANs work and how they’re used

Teaching Tips

Network Segmentation

1. Discuss the three reasons why a network administrator might separate traffic:
a. enhance security
b. improve performance
c. simplify troubleshooting
2. Explain that networks are commonly segmented according to one of the following groupings:
a. geographic locations
b. departmental boundaries
c. device types
3. Use Figure 8-1 to help students visualize the concept of network segmentation.

Subnets

1. Use Figure 8-2 to demonstrate a single LAN with several switches and a router.
Explain how segmenting the network would allow you to manage network traffic better.
2. Use Figure 8-3 to demonstrate how to segment the network from Figure 8-2 into three smaller networks (one on each floor). Point out that subnetting allows you to divide your pool of IP addresses into three groups, one for each floor of the building.
3. Explain that well-chosen subnets provide the following benefits:
a. Network documentation is easier to manage
b. Problems are easier to locate and resolve
c. Routers can more easily manage IP address spaces that don’t overlap
d. Routing is more efficient on larger networks when IP address spaces are mathematically related at a binary level

How Subnet Masks Work

1. Explain how a device uses a subnet mask to determine which subnet or network it belongs to: the device ANDs its IP address with the mask bit by bit, and the result is the network ID. Use the example address 192.168.123.32 with subnet mask 255.255.255.0, as seen on page 440 of the text (the result is the network ID 192.168.123.0).
2. Review the Applying Concepts: Binary Calculation section with your students.
3. Review the Legacy Networking: Classful Addressing in IPv4 section with your students. Point out that classful addressing is the simplest type of IPv4 addressing and that it has been superseded by classless addressing on today’s networks.

CIDR (Classless Interdomain Routing)

1. Introduce and explain CIDR (Classless Interdomain Routing). Point out that its shorthand of writing a network ID followed by a slash and the number of network bits (for example, 192.168.89.0/24) is also known as CIDR notation or slash notation.
2. Define and describe a CIDR block.

Teaching Tip
Point out that CIDR is pronounced “cider.”

IPv4 Subnet Calculations

1. Explain that subnetting alters the rules of classful IPv4 addressing and is sometimes called classless addressing.
2. Discuss how to create a subnet by borrowing bits that would represent host information in classful addressing and using those bits instead to represent network information.
3. Refer back to Figure 8-2 to discuss the number of bits used for network information in each class:
a. First 8 bits in a Class A address
b. First 16 bits in a Class B address
c. First 24 bits in a Class C address
4. Introduce the topic of calculating IPv4 subnets.
a. Demonstrate the example of dividing a network (192.168.89.0) into subnets. Follow the steps on pages 445-446 in the text.
b. Use Table 8-4 in your demonstration.
5. Work through the subnetting example starting on page 447 of the text to demonstrate performing the calculations using formulas (2^n subnets from n borrowed bits, and 2^h - 2 usable host addresses from the h host bits that remain, because the all-zeros and all-ones host values are the network ID and the broadcast address).
a. Use Table 8-5 to show subnet information for the eight possible subnets in a sample IPv4 Class C network.

Teaching Tip
Point out that several online sites and operating systems provide calculators that perform AND operations. Direct students to the following website to see an example: http://www.subnet-calculator.com/

Subnet Mask Tables

1. Point out that each class reserves a different number of bits for network information, so each class has a different number of host information bits that can be used for subnet information.
2. Use Tables 8-6 and 8-7 to show students possible Class B and Class C subnet masks.
3. Show an example network that has been divided into six (of eight possible) subnets.

Teaching Tip
Point out that several Web sites provide excellent tools to assist network administrators in calculating subnet information. Provide a classroom demonstration by navigating to http://www.subnetmask.info to illustrate one such site.

Subnetting Questions on Exams

1. Point out that students are likely to see two types of subnet calculation problems on the CompTIA Network+ exam:
a. Given certain network requirements, calculate possible subnets and host IP address ranges
b. Given an IP address, determine its subnet’s network ID, broadcast address, and first/last host addresses
2. Have students work through the Applying Concepts: Calculate IPv4 Subnets and Host IP Address Ranges section starting on page 452 and the Applying Concepts: Calculate an IPv4 Host’s Network Information section on page 453.

Implement Subnets

1. Use Figure 8-7 to discuss how to implement three of the possible eight subnets listed earlier in Table 8-5.
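The two kinds of exam calculation described above, worked in code as an added example that is not part of the textbook or this manual. The arithmetic is done on raw 32-bit integers so the ANDing step stays visible, and every result is cross-checked against Python’s ipaddress module, which is what production code should call. The block goes beyond the chapter’s fixed-length example (192.168.89.0/24 with three borrowed bits, as in Table 8-4 and Table 8-5) by also allocating variable-length subnets from 192.168.10.0/24, the address space the VLSM section uses; the host-count requirements 100, 50, 25 and 2 are assumed for illustration and are not taken from Table 8-8.

```python
# Added example (not from the textbook): IPv4 subnet arithmetic on raw 32-bit
# integers, cross-checked against the standard library's ipaddress module.
import ipaddress


def to_int(dotted):
    """'192.168.123.32' -> the address as a 32-bit integer."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError("not a dotted-decimal IPv4 address: " + dotted)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_dotted(value):
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_from_prefix(prefix):
    """/24 -> 0xFFFFFF00: `prefix` one-bits followed by zero-bits."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def host_info(address, prefix):
    """Everything an exam question asks about one host address. ANDing the
    address with the mask gives the network ID; ORing the network ID with the
    inverted mask sets every host bit and gives the broadcast address."""
    addr = to_int(address)
    mask = mask_from_prefix(prefix)
    network = addr & mask                       # the ANDing step
    broadcast = network | (~mask & 0xFFFFFFFF)  # all host bits set to 1
    if prefix >= 31:
        # /31 point-to-point links (RFC 3021) and /32 host routes have no
        # separate network/broadcast addresses, so every address is usable.
        first, last, usable = network, broadcast, 2 ** (32 - prefix)
    else:
        first, last, usable = network + 1, broadcast - 1, 2 ** (32 - prefix) - 2
    return {
        "network": to_dotted(network), "prefix": prefix, "mask": to_dotted(mask),
        "broadcast": to_dotted(broadcast), "first_host": to_dotted(first),
        "last_host": to_dotted(last), "usable_hosts": usable,
    }


def subnet(network, prefix, borrow):
    """Fixed-length subnetting: borrow `borrow` host bits to get 2**borrow equal
    subnets, each `size` addresses long (the chapter's 'magic number')."""
    new_prefix = prefix + borrow
    if new_prefix > 30:
        raise ValueError("fewer than 2 host bits would leave no usable hosts")
    base = to_int(network) & mask_from_prefix(prefix)
    size = 2 ** (32 - new_prefix)
    return [host_info(to_dotted(base + i * size), new_prefix)
            for i in range(2 ** borrow)]


def vlsm(network, prefix, host_counts):
    """Variable-length subnetting: serve the largest requirement first so every
    block starts on a multiple of its own size (a power of two), which keeps
    the subnets non-overlapping and aligned at the binary level."""
    base = to_int(network) & mask_from_prefix(prefix)
    end = base + 2 ** (32 - prefix)
    cursor, plan = base, []
    for hosts in sorted(host_counts, reverse=True):
        host_bits = 2
        while 2 ** host_bits - 2 < hosts:   # smallest block with enough usable hosts
            host_bits += 1
        size = 2 ** host_bits
        if cursor + size > end:
            raise ValueError("address space exhausted at %d hosts" % hosts)
        info = host_info(to_dotted(cursor), 32 - host_bits)
        info["requested_hosts"] = hosts
        plan.append(info)
        cursor += size
    return plan


def agrees_with_stdlib(info):
    """Cross-check one result against ipaddress."""
    net = ipaddress.ip_network("%s/%d" % (info["network"], info["prefix"]))
    return (str(net.network_address), str(net.broadcast_address),
            str(net.netmask)) == (info["network"], info["broadcast"], info["mask"])


if __name__ == "__main__":
    print(host_info("192.168.123.32", 24))          # the page 440 example
    for s in subnet("192.168.89.0", 24, 3):         # eight /27 subnets
        print(s["network"], s["first_host"], s["last_host"], s["broadcast"])
    # Assumed requirements for the 192.168.10.0/24 space: 100, 50, 25 and 2 hosts.
    for s in vlsm("192.168.10.0", 24, [100, 50, 25, 2]):
        print(s["network"], "/%d" % s["prefix"], s["requested_hosts"], s["usable_hosts"])
```

Running the block prints the network information for the page 440 example, the eight /27 subnets of 192.168.89.0, and a VLSM plan of /25, /26, /27 and /30 blocks. The largest-first ordering in vlsm is what makes the plan valid: had the /30 been allocated first, the /25 that followed would not start on a 128-address boundary.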
2. Use Figure 8-8 to demonstrate one router connecting several LANs. Review how subnet addresses have been assigned to each router interface.
3. Review the steps on page 456, which outline the process of a DHCP server providing DHCP assignments to multiple subnets. Point out that a DHCP relay agent on each subnet (on Cisco routers, the ip helper-address command) forwards clients’ broadcasts to the central server, because broadcasts do not cross a router on their own.

VLSM (Variable Length Subnet Mask)

1. Explain that VLSM allows subnets to be further subdivided into smaller and smaller groupings until each subnet is about the same size as the IP address space it actually needs.
2. Use the pizza analogy on page 457 to explain how VLSM works.
3. Use Table 8-8 and the steps starting on page 458 of the text to discuss configuring subnets using the 192.168.10.0/24 IP address space.

Subnets in IPv6

1. Explain that IPv6 addresses are classless and that IPv6 does not use dotted-decimal subnet masks; the prefix length is always written in slash notation.
2. Explain that an IPv6 address divides into a 64-bit network prefix and a 64-bit interface identifier.
3. Use Figure 8-12 to show the prefix and interface portions of an IPv6 address.
4. Remind students that they may see IPv6 addresses containing a slash, such as 2608:FE10:1:A::/64, and that the left-most 64 bits of the address are the subnet portion.
5. Explain how subnet prefixes may be assigned from an RIR (regional Internet registry) down to a local ISP, using Figure 8-13.

Quick Quiz 1

1. True or False: A network administrator might separate traffic in order to enhance security.
Answer: True
2. CIDR notation takes the network ID or a host’s IP address and follows it with a symbol followed by the number of bits used for the network ID. Which symbol is used?
a.
b. !
c. /
d. *
Answer: C
3. A centrally managed DHCP server can provide DHCP assignments to multiple subnets with the help of which of the following?
a. subnet mask
b. variable length subnet mask
c. DHCP relay agent
d. CIDR notation
Answer: C
4. True or False: Subnet masks are only used in IPv4 classful addressing.
Answer: False
5. True or False: There are no IPv6 equivalents to IPv4’s Class A, Class B, or Class C networks.
Answer: True

VLANs (Virtual Local Area Networks)

1. Define a VLAN (virtual local area network). Point out that a VLAN groups switch ports into their own broadcast domain, so traffic between VLANs must pass through a router (or a Layer 3 switch), where it can be filtered and managed.
2. Use Figure 10-25 to illustrate a simple VLAN design.
3. Describe the advantages and reasons for using a VLAN:
a. Isolating connections with heavy or unpredictable traffic patterns
b. Identifying groups of devices whose data should be given priority handling
c. Containing groups of devices that rely on legacy protocols incompatible with the majority of the network’s traffic
d. Separating groups of users who need special or limited security or network functions
e. Configuring temporary networks
f. Reducing the cost of networking equipment

Managed Switches

1. Explain that managed switches can be configured via a command-line interface or a web-based management GUI and can sometimes be configured in groups. Use Figure 8-16 in your discussion.
2. Use Figure 8-17 to demonstrate how each port on a managed switch might be configured for a different VLAN.
3. Compare Figure 8-19 to Figure 8-18. Explain that in Figure 8-19, a managed switch is used to separate two VLANs.
4. Introduce students to 802.1Q, the IEEE standard that specifies how VLAN information appears in frames (a 4-byte tag inserted after the source MAC address, carrying a 12-bit VLAN ID and a 3-bit priority field) and how switches interpret that information. Use Figure 8-21 in your discussion.
5. Use Figure 8-22 to show three switches on a LAN with multiple VLANs.

Switch Ports and Trunks

1. Explain that each port on a switch that supports VLANs is configured as one of two types of VLAN ports:
a. access port (belongs to a single VLAN and exchanges untagged frames with the end device)
b. trunk port (carries traffic for multiple VLANs, identified by their 802.1Q tags)
2. Define the term trunking.
3. Define the term trunk.
4. Explain the advantages of VLAN trunking. Use Figure 8-24 in your discussion.

Teaching Tip
Students may find more information on Understanding VLAN Trunk Protocol (VTP) from Cisco at: http://www.cisco.com/en/US/tech/tk389/tk689/technologies_tech_note09186a0080094c52.shtml
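An added example, not from the textbook or this manual, showing the 802.1Q tag format the Managed Switches section introduces and how a trunk handles tags on the way out and in. It also models the double-tagging VLAN hopping attack that the Troubleshoot and Secure VLANs section describes, so students can see why two of that section’s mitigations work: moving the native VLAN to an unused ID, and limiting which VLANs a trunk carries. The frames are constructed byte strings; the MAC addresses, VLAN numbers and the simplified trunk rules are assumptions for illustration, not any vendor’s implementation.

```python
# Added example (not from the textbook): parsing 802.1Q tags in an Ethernet
# frame and modelling how a trunk handles a double-tagged frame. Frames are
# constructed byte strings; MAC addresses and VLAN IDs are assumed.
import struct

TPID_8021Q = 0x8100  # EtherType value announcing that a VLAN tag follows


def parse_frame(frame):
    """Return the addresses, every VLAN ID found (outer tag first), the real
    EtherType and the payload. More than one entry in 'vlans' means the frame
    is double-tagged, which should never arrive on an access port."""
    dst, src = frame[0:6], frame[6:12]
    offset, vlans = 12, []
    while True:
        (tpid,) = struct.unpack("!H", frame[offset:offset + 2])
        if tpid != TPID_8021Q:
            break
        (tci,) = struct.unpack("!H", frame[offset + 2:offset + 4])
        vlans.append(tci & 0x0FFF)  # low 12 bits: VLAN ID; top 3 bits: priority
        offset += 4
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vlans": vlans,
            "ethertype": tpid, "payload": frame[offset + 2:]}


def build_frame(dst, src, vlans, ethertype, payload):
    """Inverse of parse_frame; tags are inserted after the source MAC address."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid in vlans:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)  # priority 0, DEI 0
    return hdr + struct.pack("!H", ethertype) + payload


def trunk_egress(frame, native_vlan):
    """Sending switch (simplified): the outer tag names the VLAN the frame is in;
    frames in the trunk's native VLAN leave untagged, so that tag is stripped.
    That stripping is the step double tagging abuses."""
    parsed = parse_frame(frame)
    if parsed["vlans"] and parsed["vlans"][0] == native_vlan:
        return frame[:12] + frame[16:]  # drop the 4-byte outer tag
    return frame


def trunk_ingress(frame, native_vlan, allowed_vlans=None):
    """Receiving switch: a tagged frame belongs to the VLAN in its (now outer)
    tag, an untagged frame to the native VLAN. Returns the VLAN the frame is
    delivered to, or None when the trunk is not allowed to carry that VLAN."""
    parsed = parse_frame(frame)
    vlan = parsed["vlans"][0] if parsed["vlans"] else native_vlan
    if allowed_vlans is not None and vlan not in allowed_vlans:
        return None
    return vlan


def deliver(frame, native_vlan, allowed_vlans=None):
    """VLAN a frame ends up in after crossing one trunk with the given settings."""
    return trunk_ingress(trunk_egress(frame, native_vlan), native_vlan, allowed_vlans)


# Attacker on an access port in VLAN 1 sends a frame tagged 1 (outer) and 20 (inner).
ATTACK = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", [1, 20], 0x0800,
                     b"\x45" + b"\x00" * 19)
NORMAL = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:66", [], 0x0800,
                     b"\x45" + b"\x00" * 19)

if __name__ == "__main__":
    print("double-tagged?", len(parse_frame(ATTACK)["vlans"]) > 1)
    print("native VLAN left at 1      ->", deliver(ATTACK, 1))           # 20: hopped
    print("native VLAN moved to 999   ->", deliver(ATTACK, 999))         # 1: contained
    print("VLAN 20 pruned from trunk  ->", deliver(ATTACK, 1, {1, 10}))  # None: dropped
```

With the native VLAN left at the default of 1, the trunk strips the attacker’s outer tag and the receiving switch delivers the frame to VLAN 20, which the attacker is not a member of. With the native VLAN set to an unused ID, the outer tag survives the trunk and the frame stays in VLAN 1; with VLAN 20 pruned from the trunk’s allowed list, it is dropped. Counting the tags in parse_frame is also a cheap detection rule: a double-tagged frame on an access port is an attack indicator.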
VLANs and Subnets

1. Explain that in most situations, each VLAN is assigned its own subnet of IP addresses. Use Figure 8-25 to demonstrate.
2. Discuss the following rule:
a. 1 broadcast domain = 1 VLAN = 1 subnet

Types of VLANs

1. Discuss the following types of VLANs:
a. default VLAN
b. native VLAN
c. data VLAN (or user VLAN)
d. management VLAN
e. voice VLAN

View Configured VLANs

1. Use Figure 8-27 to illustrate the output of the show vlan command on a Cisco switch.

Troubleshoot and Secure VLANs

1. Explain that configuration errors are a common cause of VLAN problems. Discuss some of the common errors, such as:
a. incorrect port mode
b. incorrect VLAN assignment
c. VLAN isolation
2. Discuss VLAN hopping attacks. Point out that there are two approaches to VLAN hopping:
a. double tagging (the attacker sends frames carrying two 802.1Q tags; the outer tag matches the trunk’s native VLAN and is stripped, so the inner tag delivers the frame into a VLAN the attacker does not belong to)
b. switch spoofing (the attacker’s device negotiates a trunk link with the switch, for example through auto-trunking, and can then send frames tagged for any VLAN)
3. Discuss the following mitigation efforts that reduce the risk of VLAN hopping:
a. Don’t use the default VLAN
b. Change the native VLAN to an unused VLAN ID
c. Disable auto-trunking on switches that don’t need to support traffic from multiple VLANs
d. On switches that do carry traffic from multiple VLANs, configure all ports as access ports unless they are used as trunk ports
e. Specify which VLANs are supported on each trunk instead of accepting a range of all VLANs
f. Use physical security methods such as door locks to restrict access to network equipment

Quick Quiz 2

1. True or False: A VLAN groups ports on a Layer 2 switch so that some of the local traffic on the switch is forced to go through a router.
Answer: True
2. To identify the transmissions that belong to each VLAN, the switch adds which of the following to Ethernet frames?
a. tag
b. VLAN ID
c. trunk
d. port ID
Answer: A
3. True or False: An unmanaged switch can be configured via a command-line interface or a web-based GUI.
Answer: False
4. Which of the following types of VLANs receives all untagged frames from untagged ports?
a. default VLAN
b. native VLAN
c. data VLAN
d. management VLAN
Answer: B
5. Which IEEE standard specifies how VLAN information appears in frames and how switches interpret that information?
a. 802.16
b. 802.1Q
c. 802.11ac
d. 802.3
Answer: B

Class Discussion Topics

1. Discuss the benefits of subnetting.
2. Discuss why an organization would want to develop an enterprise-wide approach to implementing VLANs.

Additional Projects

1. Provide students an example of a large network, currently with one router, one network ID, and 250 computers spread across multiple floors of a building. Have students divide the network into smaller subnets and create a new IP addressing scheme based on the new network design.
2. Have students research Cisco’s VTP (VLAN Trunk Protocol). Students should write at least two reasons why VTP is the most popular protocol for exchanging VLAN information over trunks.

Additional Resources

1. IP Subnet Calculator: http://www.subnet-calculator.com/
2. Understanding IP Addresses, Subnets, and CIDR Notation for Networking: https://www.digitalocean.com/community/tutorials/understanding-ip-addresses-subnets-and-cidr-notation-for-networking
3. Segmenting a Network Using VLANs: https://support.industry.siemens.com/cs/document/109749844/segmenting-a-network-using-vlans?dti=0&lc=en-DE
4. Understanding VLAN Trunk Protocol: https://www.cisco.com/c/en/us/support/docs/lan-switching/vtp/10558-21.html
5. Basic VLAN Configuration: http://www.skullbox.net/vlan.php

Key Terms

For definitions of key terms, see the Glossary near the end of the book.
• 802.1Q
• access port
• ANDing
• CIDR (Classless Interdomain Routing)
• CIDR block
• CIDR notation
• classless addressing
• default VLAN
• DHCP relay agent
• global routing prefix
• ip helper-address
• magic number
• managed switch
• native VLAN
• native VLAN mismatch
• site prefix
• tag
• trunk port
• trunking
• unmanaged switch
• VLAN (virtual local area network or virtual LAN)
• VLAN hopping
• VLAN mismatch
• VLSM (Variable Length Subnet Mask)
• VTP (VLAN Trunk Protocol)

Chapter 9
Network Risk Management

At a Glance

Instructor’s Manual Table of Contents
• Overview
• Objectives
• Teaching Tips
• Quick Quizzes
• Class Discussion Topics
• Additional Projects
• Additional Resources
• Key Terms

Lecture Notes

Overview

In this chapter, students will learn about numerous threats to a network’s data and infrastructure, how to manage those vulnerabilities, and, perhaps most important, how to convey the importance of network security to the rest of the organization through an effective security policy. Later, we will continue the discussion of network security and go behind the scenes with ways to secure network access and activity. If students choose to specialize in network security, they should consider attaining CompTIA’s Security+ certification, which requires deeper knowledge of the topics covered in this text.

Chapter Objectives

After reading this chapter and completing the exercises, the student will be able to:
• Identify people, technology, and malware security risks to a network
• Describe tools used to evaluate the security of a network
• Discuss physical security methods that prevent and detect intrusions
• Configure devices on a network for increased security
• Describe various security policies and explain how they can guide users’ activities on a network

Teaching Tips

Security Risks

1. Emphasize that different types of organizations have different levels of network security risk.
a. Provide examples.
2. Explain why students first need to know how to recognize the threats their network could suffer.
3. Explain that a hacker is someone who masters the inner workings of computer hardware and software in an effort to better understand them. Discuss the following types of hackers:
a. white hat hacker
b. black hat hacker
c. gray hat hacker
4. Define a vulnerability as a weakness of a system, process, or architecture that could lead to compromised information or unauthorized access.
5. Point out that the act of taking advantage of a vulnerability is known as an exploit.
6. Explain that a zero-day exploit (or zero-day attack) is one that takes advantage of a software vulnerability that hasn’t yet, or has only very recently, become public, so no patch is available to defenders.

People Risks

1. Discuss the significance of looking at risks associated with people. Point out that by some estimates, human errors, ignorance, and omissions cause more than half of all security breaches sustained by networks.
2. Introduce students to social engineering, which involves manipulating social relationships to gain access. Discuss the following types of social engineering:
a. phishing
b. baiting
c. quid pro quo
d. tailgating
3. Use Figure 9-2 to discuss the typical social engineering attack cycle.
4. Point out that the most important defense against social engineering is employee training.
5. Discuss the potential risks associated with insider threats.
6. Discuss the measures that can be taken to reduce risks associated with people:
a. Background checks
b. Principle of least privilege
c. Checks and balances on employee behavior
d. DLP (data loss prevention)

Technology Risks

1. Discuss the following risks inherent in network hardware and design:
a. spoofing attack
b. DoS (denial of service) attack
c. DDoS (distributed DoS) attack
d. DRDoS (distributed reflection DoS) attack
e. amplified DRDoS attack
f. PDoS (permanent DoS) attack
g. friendly DoS attack
h. DNS poisoning (DNS spoofing)
i. ARP poisoning
j. MitM (man-in-the-middle) attack
k. rogue DHCP server
l. deauth (deauthentication) attack
m. insecure protocols and services
n. back doors

Malware Risks

1. Explain that malware refers to any program or piece of code designed to intrude upon or harm a system or its resources. Discuss the following:
a. virus
b. Trojan horse
c. worm
d. bot
e. ransomware
2. Discuss the following characteristics that can make malware harder to detect and eliminate:
a. encryption
b. stealth
c. polymorphism
d. time dependence

Security Assessment

1. Explain the difference between a posture assessment and a security audit.
2. Define and describe a security audit as a means of assessing security risks.
3. Explain who can or should perform the security audit, noting any advantages where applicable.

Scanning Tools

1. Explain that security experts often conduct simulated attacks on a network to determine its weaknesses. Discuss three types of attack simulations:
a. vulnerability scanning
b. penetration testing
c. red team-blue team exercise
2. Discuss scanning tools that can be used to discover crucial information about a network:
a. Nmap
b. Nessus
c. Metasploit

Honeypots and Honeynets

1. Define and explain a honeypot, which is a decoy system that is purposely vulnerable and filled with what appears to be sensitive content.
2. Define and explain a honeynet, which is several honeypots connected together to form a network.
3. Explain why honeypots and honeynets must be isolated from the rest of the network: a compromised decoy must not become a foothold into production systems.

Quick Quiz 1

1. The act of taking advantage of a vulnerability is known as which of the following?
a. hacker
b. poisoning
c. snooping
d. exploit
Answer: D
2. ____________________ occurs when a person attempts to glean access or authentication information by posing as someone who needs that information.
Answer: Phishing
3. Which of the following describes an attack where a person redirects and captures secure transmissions as they occur?
a. port scanning
b. DoS
c. phishing
d. man-in-the-middle
Answer: D
4. A program that disguises itself as something useful but actually harms your system is known as which of the following?
a. backdoor
b. Trojan horse
c. worm
d. bot
Answer: B
5. In which type of vulnerability scan does the attacker begin on the perimeter of the network, looking for vulnerabilities that do not require trusted user privileges?
Answer: unauthenticated

Physical Security

1. Point out that an important element in network security is restricting physical access to its components.
2. Explain that students should consider all points of compromise in physical security. Emphasize that only trusted networking staff should have access to secure computer rooms, data rooms, network closets, storage rooms, entrance facilities, and locked equipment cabinets.

Preventative Methods

1. Discuss how electronic locks can be combined with key locks. Describe the following door access controls. Use Figures 9-11 through 9-15 in your discussion:
a. keypad or cipher lock
b. key fob
c. access badge
d. proximity card
e. biometrics
2. Describe electronic badge access. Discuss the differences between smart cards, proximity cards, passive cards, and active cards.

Detection Methods

1. Explain that the key to protecting sensitive data and systems is to detect intrusions as quickly as possible and be prepared to respond appropriately.
2. Discuss the following methods of detecting physical intrusions and other kinds of events:
a. motion detection
b. video surveillance
c. tamper detection
d. asset tracking
3. Review relevant questions that should be included in a security audit. The questions are found on page 524.

Device Hardening

1. Explain that device hardening is taking steps to secure network devices from network- or software-supported attacks.

Updates and Security Patches

1. Discuss how updates to applications, OSs, and device firmware address several issues, such as:
a. fixing bugs
b. adding new features
c. closing security gaps
2. Explain that the process of properly managing and applying security patches includes the following phases:
a. discovery
b. standardization
c. layered security
d. vulnerability reporting
e. implementation
f. assessment
g. risk mitigation

Administrative Credentials

1. Explain that most devices that can be configured through a management interface come with a default access account, which can be extremely insecure because the default credentials are published in vendor documentation.
2. Point out that when configuring a device, students should make it a habit to change the default administrative credentials before doing anything else.
3. Explain that authentication credentials should also be changed from the provider’s default settings. Use Figure 9-21 to demonstrate how this can be done.
4. Introduce students to a privileged user account and discuss the security precautions for this type of account:
a. limited use
b. limited location
c. limited duration
d. limited access
e. limited privacy

Services and Protocols

1. Explain that insecure services and protocols, such as Telnet and FTP, which send credentials in cleartext, should be disabled on a system whenever possible.
2. Discuss the following guidelines to help protect devices from attack:
a. Use secure protocols
b. Disable any running services on a computer that are not needed
c. Minimize the number of startup programs to include only those apps that you really need
d. Close TCP/IP ports on the local firewall that are not used for ongoing activities
e. Disable unneeded connection technologies
f. Remove known networks if they are no longer needed
g. Disable or uninstall applications that are no longer needed

Hashing

1. Explain that hashing transforms data of any length, through a one-way algorithm, into a fixed-length value called a digest. The text notes that this generally reduces the amount of space needed for the data; the security-relevant properties are that the digest cannot be reversed to recover the input and that two different inputs should not produce the same digest, which is what makes a hash useful for verifying that a downloaded patch or a stored file has not been altered.
2. Discuss SHA (Secure Hash Algorithm) and introduce students to the various versions of SHA:
a. SHA-0
b. SHA-1
c. SHA-2
d. SHA-3
3. Point out that SHA-0 and SHA-1 are no longer considered secure (practical SHA-1 collisions have been demonstrated), that SHA-2 and SHA-3 are both current standards, and that SHA-3 was designed as an independent alternative to SHA-2 rather than a replacement, so a system may offer both.
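An added example, not from the textbook or this manual, that shows the hash properties discussed above with Python’s hashlib and ties them to the patch-verification use from the Updates and Security Patches section: the digest length is fixed by the algorithm, a one-character change flips about half the digest bits, and a downloaded file can be checked against a published digest with a constant-time comparison. The “patch” is a constructed byte string, not a real vendor download.

```python
# Added example (not from the textbook): what a cryptographic hash gives you in
# practice, using the SHA families the chapter lists. The "patch" below is a
# constructed byte string, not a real vendor download.
import hashlib
import hmac

ALGORITHMS = ("sha1", "sha256", "sha512", "sha3_256")


def digest_bits(data):
    """Digest length in bits per algorithm. The length is fixed by the algorithm,
    not by the input: a 1-byte and a 1-MB input give the same-sized digest."""
    return {name: hashlib.new(name, data).digest_size * 8 for name in ALGORITHMS}


def differing_bits(a, b, algorithm="sha256"):
    """How many digest bits change between two inputs. A good hash flips about
    half of them even when the inputs differ by one character (the avalanche
    effect), so a digest reveals nothing about how similar two inputs are."""
    x = int.from_bytes(hashlib.new(algorithm, a).digest(), "big")
    y = int.from_bytes(hashlib.new(algorithm, b).digest(), "big")
    return bin(x ^ y).count("1")


def verify_patch(blob, published_hex, algorithm="sha256"):
    """Integrity check of a downloaded update against the digest the vendor
    publishes. compare_digest runs in constant time, so response timing cannot
    leak the expected value. A match proves the file was not altered since the
    digest was published; it does not prove who published it, which needs a
    digital signature or a digest fetched over an authenticated channel."""
    actual = hashlib.new(algorithm, blob).hexdigest()
    return hmac.compare_digest(actual, published_hex.strip().lower())


PATCH = b"firmware-update v2.3.1 " + bytes(range(256)) * 4   # constructed sample
PUBLISHED = hashlib.sha256(PATCH).hexdigest()               # what the vendor page would list
TAMPERED = PATCH[:100] + b"\x00" + PATCH[101:]              # one byte changed in transit

if __name__ == "__main__":
    print(digest_bits(b"a"))
    print(digest_bits(b"a" * 1_000_000))
    print(differing_bits(b"patch-1.0", b"patch-1.1"), "of 256 digest bits differ")
    print("genuine:", verify_patch(PATCH, PUBLISHED), " tampered:", verify_patch(TAMPERED, PUBLISHED))
```

Note that SHA-1 still appears in the table because it is still shipped everywhere, not because it should be chosen for new work; for patch verification, prefer SHA-256 or stronger, and treat the published digest as trustworthy only if it was obtained over HTTPS from the vendor or is itself signed.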
Introduce the need for malware protection by noting that protection against harmful code involves more than just installing anti-malware software. 2. Emphasize that malware protection requires choosing the most appropriate anti-malware program for an environment, monitoring the network, continually updating the anti-malware program, and educating users. 3. Introduce the concept of anti-malware software. a. Emphasize that while some malware is not immediately detectable by users, it may still leave evidence of itself. b. Point out that some evidence can be detected only via anti-malware software. 4. Review symptoms that might lead to the suspicion of a virus on a computer. 5. Explain why an implementation of anti-malware software depends on the computing environment’s needs. 6. Describe the different options regarding where to install anti-malware packages: a. host-based b. server-based c. network-based d. cloud-based Security Policies for Users 1. Explain how a thoroughly planned security policy can minimize the risk of break-ins. 2. Define a security policy. 3. Explain what is not included in a security policy. Security Policy Goals 1. Discuss the typical goals for security policies as listed on page 534 of the text. 2. Point out that after defining the goals of a security policy, a strategy to attain the goals of the policy should be devised. 3. Explain that in order to understand an organization’s risks, a posture assessment identifying vulnerabilities should be conducted Teaching Tip Students may learn more about security policies by reviewing material on The SANS Security Policy Project Web site at http://www.sans.org/resources/policies BYOD (Bring Your Own Device) 1. Define BYOD as the practice of allowing people to bring their smartphones, laptops, or other technology into a facility for the purpose of performing work or school responsibilities. 2. Discuss the variations of BYOD: a. BYOA (bring your own appliance) b. BYOC (bring your own cloud) c. 
BYOT (bring your own technology) d. CYOD (choose your own device) 3. Point out that part of a BYOD policy might include on-boarding and off-boarding procedures. Explain that these configurations can be handled automatically by MDM (mobile device management) software. AUP (Acceptable Use Policy) 1. Emphasize that the security policy should explain to users what they can and cannot do and how these measures protect the network’s security. Point out that this is known as the acceptable use policy (AUP). 2. Discuss some of the restrictions and AUP might include. NDA (Non-Disclosure Agreement) 1. Explain that an NDA is often used to define what confidential and private means to the organization. 2. Define and describe the term confidential. Password Policy 1. Mention that choosing a secure password is one of the easiest and least expensive ways to guard against unauthorized access. 2. Explain that guidelines for selecting passwords should be part of an organization’s security policy. 3. Review the tips for making and keeping passwords secure that are found on pages 538-539 of the text. Privileged User Agreement 1. Explain that a privileged user agreement addresses the specific concerns related to privileged access given to administrators and certain support staff. 2. Point out that a privileged user agreement outlines: a. Guidelines b. Rules c. Restrictions d. Consequences of violations 3. Discuss the use of a PAM (privileged access management) tool. Anti-Malware Policy 1. Introduce the concept of anti-malware policies. Explain why it is important that all network users understand how to prevent the spread of malware. 2. Review suggestions for anti-malware policy guidelines. 3. Point out to students that these policies are intended to protect the network from damage and downtime. Quick Quiz 2 1. Which of the following access control methods does not require direct contact with a proximity reader in order to be detected? a. smart card b. biometric scanner c. 
proximity card d. key fob Answer: C 2. Which of the following detection methods can detect physical penetration, temperature extremes, input voltage variations, or certain kinds of radiation? a. tamper detection sensor b. motion detection sensor c. video surveillance d. asset tracking Answer: B 3. What is the first phase of properly managing and applying security patches? a. implementation b. assessment c. risk mitigation d. discovery Answer: D 4. What term best describes the process of transforming data through an algorithm that generally reduces the amount of space needed for data? a. hardening b. hashing c. disclosing d. mitigating Answer: B 5. True or False: Malware often leaves evidence of itself on a device. Answer: True Class Discussion Topics 1. As a class, discuss the implications of security breaches on technology adoption. Are people hesitant to use the Internet or wireless technology for purchases due to security concerns? Are people hesitant to use technology because of privacy concerns? Are these concerns warranted and are they influenced by age, race, or gender? 2. As a class, discuss what the consequences should be for not adhering to security policy guidelines. Where or how should these consequences be communicated to employees? Additional Projects 1. Have students research the currently published security policy or policies for the school and compare those with another school or public organization. 2. Business Strategies International (BSI), established in 1989, is a leader in providing innovative and integrated business services for small to medium businesses through to large corporate enterprises. Have students research two of this company’s leading biometrics products: BioLock and BioScan. Ask them to compare these products with other biorecognition access products on the market today. Additional Resources 1. Audit Certification http://www.isaca.org/ 2. 
A Preparation Guide to Information Security Policy http://www.sans.org/reading_room/whitepapers/policyissues/preparation-guide-information-security-policies_503
3. What are Biometric Locks? https://www.houselogic.com/finances-taxes/home-insurance/what-are-biometric-locks/
4. What is Hashing? https://www.techopedia.com/definition/14316/hashing
5. Know the Different Types of Malware http://www.dummies.com/how-to/content/know-the-different-types-of-malware.html

Key Terms
For definitions of key terms, see the Glossary near the end of the book.
• amplified DRDoS attack
• ARP poisoning
• asset tracking tag
• AUP (acceptable use policy)
• back door
• badge
• biometrics
• BYOD (bring your own device)
• CCTV (closed-circuit TV)
• cipher lock
• data breach
• DDoS (distributed DoS) attack
• deauth (deauthentication) attack
• device hardening
• DHCP snooping
• dictionary attack
• DLP (data loss prevention)
• DNS poisoning
• DoS (denial-of-service) attack
• DRDoS (distributed reflection DoS) attack
• exploit
• FTP bounce
• hacker
• hashing
• honeynet
• honeypot
• insider threat
• key fob
• logic bomb
• malware
• MDM (mobile device management)
• MitM (man-in-the-middle) attack
• motion detection
• NDA (non-disclosure agreement)
• PDoS (permanent DoS) attack
• penetration testing
• phishing
• port scanner
• posture assessment
• principle of least privilege
• privileged user account
• PUA (privileged user agreement)
• ransomware
• rogue DHCP server
• security audit
• security policy
• SHA (Secure Hash Algorithm)
• smart card
• social engineering
• tamper detection
• virus
• vulnerability
• vulnerability scanning
• zero-day exploit

Chapter 10
Security in Network Design

At a Glance

Instructor’s Manual Table of Contents
• Overview
• Objectives
• Teaching Tips
• Quick Quizzes
• Class Discussion Topics
• Additional Projects
• Additional Resources
• Key Terms

Lecture Notes

Overview
In this chapter, we dig in behind the scenes to see what security precautions IT professionals need to implement on a network to help keep it secure. We’ll begin with a discussion of network security devices, which is a category that includes far more than just firewalls. We’ll continue our discussion of device hardening by examining security precautions needed on network switches. Then we’ll explore the complementary processes of network access control and authentication, on both wired and wireless networks.

Chapter Objectives
After reading this chapter and completing the exercises, the student will be able to:
• Describe the functions and features of various network security devices
• Implement security precautions on a switch
• Track the processes of authentication, authorization, and auditing on a network
• Explain the available options in network access control methods
• Configure various security measures on a wireless network

Teaching Tips

Network Security Devices
1. Explain that proxy servers and ACLs on network devices are examples of non-security devices with security features. Point out that firewalls and IDS/IPS systems are specialized security devices.

Proxy Servers
1. Explain that a proxy server acts as an intermediary between the external and internal networks as it screens all incoming and outgoing traffic.
2. State the important function of a proxy server: preventing the outside world from discovering the addresses of the internal network.
   a. Explain why this is important.
3. Use Figure 10-1 to illustrate how a proxy server might fit into a WAN design.
4. Explain that a reverse proxy provides services to Internet clients from servers on its own network.

ACLs (Access Control Lists) on Network Devices
1. Point out that before a malicious intruder on another network can gain access to files on a network server, he or she must traverse a switch or router.
2. Describe a router’s main function, which is to examine packets and determine where to direct them based on their Network layer addressing information.
3. Define and describe a router ACL (access control list).
4. Discuss some of the variables an ACL uses to instruct a router to permit or deny traffic.
5. Describe how a router processes packet information. Use Figure 10-2 in your discussion.
6. Note that an access list may contain many different statements.
7. Point out that the more statements or tests the router must scan, the more time it takes the router to act, slowing down the router’s overall performance.

Firewalls
1. Define and describe a firewall.
   a. Note that a firewall typically involves a combination of hardware and software.
2. Describe where a firewall typically resides in a network. Use Figure 10-3 to illustrate the placement of a firewall between a private network and the Internet.
3. Use Figure 10-4 to illustrate a firewall designed for use in a business with many users.
4. Mention that many forms of firewalls exist, such as network-based and host-based firewalls.
5. Define and explain a packet-filtering firewall.
   a. Emphasize how packet-filtering firewalls block traffic in and out of a network.
   b. Use Figure 10-5 in your discussion.
6. Mention that firewalls ship with a default configuration designed to block the most common types of security threats. Note that many network administrators choose to modify default firewall settings.
7. Discuss common criteria a packet-filtering firewall might use to accept or deny traffic.
8. Describe port blocking and discuss its importance in preventing security breaches.
9. Describe the many factors to consider when choosing a firewall that performs more complex functions.
   a. Define and describe content-filtering firewalls.
   b. Define and describe the characteristics of stateless and stateful firewalls.
10. Define Unified Threat Management (UTM) as a security strategy that combines multiple layers of security appliances and technologies into a single safety net.
11. Explain that a newer technology, known as Next Generation Firewalls (NGFWs), has built-in Application Control features and is application aware. Discuss the following innovative features:
   • application aware
   • user aware
   • context aware
12. Point out that the most common cause of firewall failure is firewall misconfiguration. Mention that you might need to create exceptions to rules and that configuring an enterprise-level firewall could take weeks to achieve the best results.

Teaching Tip
Perform an in-class demonstration by navigating to the Cisco IOS Firewall Introduction page at http://www.cisco.com/en/US/products/sw/secursw/ps1018/index.html to show the example Cisco firewall material available there.

IDS (Intrusion Detection System)
1. Define and describe an IDS (intrusion detection system).
2. Compare an IDS to a router’s ACL or firewall.
3. Use the right side of Figure 10-10 to demonstrate how an IDS detects traffic patterns.
4. Compare HIDS (host-based intrusion detection) with NIDS (network-based intrusion detection).
5. Explain that one technique a NIDS might use to monitor traffic carried by a switch is port mirroring. Discuss this technique with students.
6. Explain that one drawback to using an IDS is the number of false positives it can log.

IPS (Intrusion Prevention System)
1. Define and describe an IPS (intrusion prevention system).
2. Emphasize that an IPS can react when alerted to suspicious activity.
3. Use Figure 10-10 to illustrate the placement of an IDS/IPS device on a private network that is connected to the Internet. Point out that the left side of the figure demonstrates the behavior of an IPS.
4. Explain that, just as with an IDS, a NIPS can protect entire networks while a HIPS protects a specific host.
5. Define and describe a DMZ (demilitarized zone). Use Figure 10-11 to discuss the placement of IPS devices and software on a network.
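The ACL and packet-filtering firewall sections above describe the same evaluation model: a router scans the list top to bottom, the first matching statement decides, anything that matches no statement is dropped by the implicit deny, and every extra statement costs scanning time. The following is an added illustration written for this manual, not code from the textbook or from any vendor; the statement fields (protocol, source and destination CIDR, destination port), the sample ACL, and the example addresses are constructed assumptions.

```python
"""Simulate how a router or packet-filtering firewall evaluates an ACL.

Constructed teaching example: statements are scanned top to bottom, the first
statement whose every criterion matches decides, and a packet that matches
nothing is dropped by the implicit deny at the end of every list.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Statement:
    action: str                   # "permit" or "deny"
    protocol: str                 # "tcp", "udp", "icmp", or "ip" for any protocol
    source: str                   # CIDR block the source address must fall in
    destination: str              # CIDR block the destination address must fall in
    dst_port: Optional[int] = None  # None means any destination port


@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    dst: str
    dst_port: Optional[int] = None


def matches(stmt: Statement, pkt: Packet) -> bool:
    """A statement matches only when every one of its criteria matches."""
    if stmt.protocol != "ip" and stmt.protocol != pkt.protocol:
        return False
    if ip_address(pkt.src) not in ip_network(stmt.source):
        return False
    if ip_address(pkt.dst) not in ip_network(stmt.destination):
        return False
    if stmt.dst_port is not None and stmt.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(acl: List[Statement], pkt: Packet) -> Tuple[str, int]:
    """Return (decision, number_of_statements_scanned).

    The scan count is the cost the textbook warns about: a packet that only
    the implicit deny catches has been tested against every statement.
    """
    for position, stmt in enumerate(acl, start=1):
        if matches(stmt, pkt):
            return stmt.action, position
    return "deny (implicit)", len(acl)


# Constructed ACL (assumed values): block one known-bad host first, then
# permit HTTPS and HTTP to the DMZ subnet and DNS to the DMZ resolver.
# Everything else falls through to the implicit deny.
ACL = [
    Statement("deny",   "ip",  "203.0.113.99/32", "0.0.0.0/0"),
    Statement("permit", "tcp", "0.0.0.0/0", "192.0.2.0/24", 443),
    Statement("permit", "tcp", "0.0.0.0/0", "192.0.2.0/24", 80),
    Statement("permit", "udp", "0.0.0.0/0", "192.0.2.53/32", 53),
]

if __name__ == "__main__":
    samples = [
        Packet("tcp", "198.51.100.7", "192.0.2.10", 443),   # normal HTTPS to the DMZ
        Packet("tcp", "203.0.113.99", "192.0.2.10", 443),   # blocked host, even on 443
        Packet("tcp", "198.51.100.7", "192.0.2.10", 22),    # SSH: no statement matches
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(ACL, pkt))
```

Ordering is part of the policy: evaluating the same ACL reversed (`evaluate(ACL[::-1], ...)`) lets the blocked host through on port 443, because the permit statement is now reached first. That is the kind of misconfiguration item 12 above refers to, and a useful thing to have students predict before running the code.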
Teaching Tip
Perform an in-class demonstration by navigating to the open-source IDS software sites for Tripwire at http://www.tripwire.com and Snort at http://www.snort.org to demonstrate the availability of these products.

SIEM (Security Information and Event Management)
1. Explain that SIEM systems can be configured to evaluate data generated from IDS, IPS, firewall, and proxy server logs.
2. Mention that the capability required of the SIEM is determined by the amount of storage space needed for the amount of data generated and by the number of events to be processed per second.
3. Explain that the network administrator can fine-tune a SIEM’s configuration rules for the specific needs of a network by defining which events should trigger which responses.

Switch Management
1. Point out that this section covers how paths between switches are managed and also examines switch security concerns.

Switch Path Management
1. Use Figure 10-12 to demonstrate a traffic loop.
2. Introduce and define STP (Spanning Tree Protocol).
3. Review the three steps STP performs. Be sure to explain that STP selects a root bridge, which will provide the basis for all subsequent path calculations.
4. Use Figure 10-13 to illustrate STP-selected paths on a switched network.
5. Explain that STP information is transmitted between switches via BPDUs (Bridge Protocol Data Units). Discuss the following security precautions that must be configured on STP-enabled devices:
   a. BPDU guard
   b. BPDU filter
   c. root guard
6. Review the history of STP.
7. Discuss the newer protocols, such as RSTP, MSTP, TRILL, and SPB. Point out how SPB, which is a descendant of STP and meant to replace it, differs from STP.
8. Emphasize that when installing switches on your network, you do not need to enable or configure STP (or the more current version that came with your switch).

Switch Port Security
1. Explain that unused switch, router, or server ports can be accessed and exploited by hackers. Point out that ports can be disabled by using the shutdown command on Cisco, Huawei, and Arista routers and switches.
2. Discuss the use of the switchport port-security command, which is essentially a MAC filtering function that protects against MAC flooding.
3. Mention that many Huawei, Arista, Juniper, and Cisco devices offer a type of flood guard known as storm control that protects against flooding attacks from broadcast and multicast traffic. The feature is managed using the storm-control command.

Quick Quiz 1
1. What command is used to assign a statement to an already-installed ACL?
Answer: access-list
2. True or False: Packet-filtering firewalls cannot distinguish between a user who is trying to breach the firewall and a user who is authorized to do so.
Answer: True
3. True or False: An IDS can react when alerted to suspicious activity.
Answer: False
4. Which of the following is used to disable STP on specific ports?
   a. BPDU guard
   b. BPDU filter
   c. BPDU protocol
   d. root guard
Answer: B
5. Which of the following switch security options monitors network traffic at one-second intervals to determine if the traffic levels are within acceptable thresholds?
   a. STP
   b. BPDU
   c. storm control
   d. switchport security
Answer: C

AAA (Authentication, Authorization, and Accounting)
1. Explain that controlling users’ access to a network and its resources consists of three major elements:
   a. authentication
   b. authorization
   c. accounting

Authentication
1. Point out that a user can be authenticated to the local device or to the network.
2. Mention that local authentication has both advantages and disadvantages:
   a. low security
   b. convenience varies
   c. reliable backup access
3. Explain that with local authentication, every computer on the network is responsible for securing its own resources.
4. Demonstrate how to switch from local authentication to network authentication on a Windows computer.
5. Review the following additional authentication restrictions that strengthen network security:
   a. time of day
   b. total time logged on
   c. source address
   d. unsuccessful logon attempts
   e. geographic location

Authorization
1. Discuss the most popular authorization method, which is RBAC (role-based access control).
2. Introduce the concept of role separation, which allows each user to be a member of only a single group in order to perform any tasks at all.
3. Use Figure 10-17 to demonstrate how Windows allows you to create new groups and add users to these groups.

Accounting
1. Demonstrate using Windows Event Viewer to view Windows logs, which can be used to identify interesting or suspicious events.

NAC (Network Access Control) Solutions
1. Define network access control (NAC) as a solution that employs a set of rules, called network policies, which determine the level and type of access granted to a device when it joins a network.
2. Explain that software, called an agent, might need to be installed on a device in order for the device to be authenticated. Describe the two types of agents commonly used:
   a. nonpersistent agent
   b. persistent agent
3. Point out that Windows Active Directory allows for agentless authentication.
4. Describe how a guest device can be granted limited access to a NAC-protected network. Be sure to point out that devices that do not meet compliance requirements can be placed in a quarantine network.

Access Control Technologies
1. Explain that several types of authentication services and protocols exist. These technologies vary according to which encryption schemes they rely on and the steps they take to verify credentials.

Directory Services
1. Point out to students that in order for clients to authenticate to network resources, some sort of directory server on the network must maintain a database of account information.
2. Explain that the two most common directory services are Windows AD (Active Directory) and Linux-focused OpenLDAP.
3. Discuss LDAP (Lightweight Directory Access Protocol) as a standard protocol for accessing an existing directory. Point out that AD is configured to use the Kerberos protocol, but can use LDAP instead of or in addition to Kerberos.

Kerberos
1. Define Kerberos as a cross-platform authentication protocol that uses key encryption to verify the identity of clients and to securely exchange information after a client logs on to a system.
2. Note that Kerberos is an example of a private key encryption service.
3. Introduce students to some of the terms used when discussing Kerberos:
   a. principal
   b. KDC (Key Distribution Center)
   c. ticket
4. Discuss the two services that a Kerberos server runs:
   a. AS (Authentication Service)
   b. TGS (Ticket-Granting Service)
5. Explain that the purpose of Kerberos is to connect a valid user with a network service the user wants access to. Point out that to accomplish this, both the user and the service must register their own keys with the AS ahead of time.
6. Use Figure 10-21 to demonstrate how TGS works. Describe the process Kerberos requires for client/server communication as outlined in the steps on pages 588-589 of the text.

Teaching Tip
Point out that Kerberos was named after the three-headed dog in Greek mythology who guarded the gates of Hades and was designed at MIT (Massachusetts Institute of Technology). MIT still provides free copies of the Kerberos code. In addition, many software vendors have developed their own versions of Kerberos.

SSO (Single Sign-On)
1. Explain that SSO is a form of authentication in which a client signs on one time to access multiple systems or resources.
2. Point out that the primary advantage of SSO is convenience. Further discuss that the biggest disadvantage of SSO is that once the obstacle of authentication is cleared, the user has access to numerous resources.
3. Explain that an authentication process that requires two or more pieces of information is known as multifactor authentication (MFA).
In a 2FA scenario, a user must provide something and know something.
4. Discuss the categories of authentication factors:
   • something you know
   • something you have
   • something you are
   • somewhere you are
   • something you do
5. Explain that MFA requires at least one authentication method from at least two different categories. Use Figure 10-27 in your discussion.

RADIUS (Remote Authentication Dial-In User Service)
1. Explain that RADIUS is the most popular AAA service.
2. Define and explain the use of RADIUS (Remote Authentication Dial-In User Service).
3. Explain that RADIUS can operate as a software application on a remote access server or on a computer dedicated to this type of authentication, called a RADIUS server.
4. Explain why RADIUS is more secure than a simple remote access solution.
5. Use Figure 10-28 to illustrate a RADIUS server providing centralized authentication.

TACACS+ (Terminal Access Controller Access Control System Plus)
1. Mention that TACACS+ (Terminal Access Controller Access Control System Plus) is a similar, but modified, earlier version of centralized authentication.
2. Discuss the differences of TACACS+ versus RADIUS:
   a. Relies on TCP, not UDP
   b. Was developed by Cisco Systems for proprietary use
   c. Is typically installed on a router or switch, rather than a server
   d. Encrypts all information transmitted for AAA (RADIUS only encrypts the password)

Wireless Network Security
1. Remind students that a significant disadvantage of WEP was that it used a shared encryption key for all clients and the key might never change.
2. Discuss the two WEP forms of authentication that were not secure:
   a. OSA (Open System Authentication)
   b. SKA (Shared Key Authentication)

WPA (Wi-Fi Protected Access)
1. Introduce students to TKIP (Temporal Key Integrity Protocol), which accomplished three significant improvements over WEP:
   a. message integrity
   b. key distribution
   c. encryption
2. Explain that the encryption protocol in WPA was replaced by a stronger encryption protocol for the updated version, called WPA2.

WPA2 (Wi-Fi Protected Access, version 2)
1. Explain that CCMP improves wireless security for newer devices that can use WPA2. Discuss how that is done.
2. Discuss the following provided by CCMP:
   a. message integrity
   b. encryption

Personal and Enterprise
1. Explain that the Personal versions of WPA and WPA2 are sometimes referred to as WPA-PSK or WPA2-PSK. Point out that PSK is short for Pre-Shared Key.
2. Discuss the authentication mechanism known as EAP (Extensible Authentication Protocol). Explain how it is used with a RADIUS server.
3. Use Figure 10-29 to discuss the three main EAP entities:
   a. supplicant
   b. authenticator
   c. authentication server
4. Use Figure 10-30 to show the steps involved in EAP communications.
5. Explain that EAP was adapted to work on both wired and wireless LANs in the 802.1X standard and is known as EAPoL (EAP over LAN).
6. Point out that students need to know some information about EAP-TLS, PEAP, and EAP-FAST for the Network+ exam.
7. Explain that EAP-TLS uses TLS encryption to protect communications. Discuss some other characteristics of EAP-TLS. Use Figure 10-31 in your discussion.
8. Point out that PEAP (Protected EAP) creates an encrypted TLS tunnel between the supplicant and the server before proceeding with the usual EAP process. Use Figure 10-32 in your discussion.
9. Discuss the EAP-FAST (EAP-Flexible Authentication via Secure Tunneling) protocol. Point out that it was developed by Cisco and works similarly to PEAP (only faster).

Quick Quiz 2
1. Which of the following processes determines what a user can and cannot do with network resources?
   a. authentication
   b. accounting
   c. acceptability
   d. authorization
Answer: D
2. Which of the following methods of access control is considered to be the least secure method?
   a. DAC (discretionary access control)
   b. RBAC (role-based access control)
   c. NAC (network access control)
   d. MAC (mandatory access control)
Answer: A
3. A network access control (NAC) solution employs a set of rules, called _____, which determine the level and type of access granted to a device when it joins a network.
Answer: network policies
4. A Kerberos client or user is known as which of the following?
   a. ticket
   b. supplicant
   c. principal
   d. token
Answer: C
5. Which of the following protocols has the characteristic of being certificate-based?
   a. WEP
   b. EAP-TLS
   c. PEAP
   d. EAP-FAST
Answer: B

Class Discussion Topics
1. Discuss the differences between the use of ACLs versus the use of firewalls for network security. In what situations would the use of ACLs be an advantage over using a hardware firewall?
2. As a class, discuss the differences between an IDS and an IPS. Discuss examples of organizations that might want to implement an IPS over an IDS.

Additional Projects
1. Have students research the latest developments in wireless network security. Students should write a report of their findings, including any future wireless network security technologies that are being developed as of this writing.
2. Give students a scenario of an enterprise network design that does not include any network access control technologies. Students should then propose what network access control methods and technologies they would recommend implementing. They should be able to briefly explain their recommendations.

Additional Resources
1. Firewall Solutions for Small Businesses https://www.cisco.com/c/en/us/solutions/small-business/resource-center/secure-my-business/firewall-solutions.html
2. Lock Down Cisco Switch Port Security https://www.techrepublic.com/blog/it-security/lock-down-cisco-switch-port-security-88196/
3. Network Access Control http://searchnetworking.techtarget.com/definition/network-access-control
4. Intrusion Detection and Prevention http://www.webopedia.com/DidYouKnow/Computer_Science/intrusion_detection_prevention.asp
5. 802.11 Wireless Network Security Standards & Mechanisms https://www.sans.org/reading-room/whitepapers/wireless/overview-80211-wireless-network-security-standards-mechanisms-1530

Key Terms
For definitions of key terms, see the Glossary near the end of the book.
• 2FA (two-factor authentication)
• 802.1X
• AAA (authentication, authorization, and accounting)
• access control
• accounting
• ACL (access control list)
• AES (Advanced Encryption Standard)
• agent
• agentless authentication
• alert
• authentication server
• authenticator
• authorization
• BPDU (Bridge Protocol Data Unit)
• BPDU filter
• BPDU guard
• CCMP (Counter Mode with CBC [Cipher Block Chaining] MAC [Message Authentication Code] Protocol)
• CHAP (Challenge Handshake Authentication Protocol)
• content-filtering firewall
• DAC (discretionary access control)
• domain local group
• EAP (Extensible Authentication Protocol)
• EAP-FAST (EAP-Flexible Authentication via Secure Tunneling)
• EAP-TLS
• EAPoL (EAP over LAN)
• FIM (file integrity monitoring)
• geofencing
• Group Policy
• HIDS (host-based intrusion detection system)
• HIPS (host-based intrusion prevention system)
• host-based firewall
• IDS (intrusion detection system)
• implicit deny
• IPS (intrusion prevention system)
• iptables
• KDC (Key Distribution Center)
• Kerberos
• Layer 7 firewall
• MAC address table
• MAC (mandatory access control)
• MFA (multifactor authentication)
• MS-CHAP (Microsoft Challenge Handshake Authentication Protocol)
• MS-CHAPv2 (Microsoft Challenge Handshake Authentication Protocol, version 2)
• mutual authentication
• NAC (network access control)
• network-based firewall
• network policy
• NGFW (Next Generation Firewall)
• NIDS (network-based intrusion detection system)
• NIPS (network-based intrusion prevention system)
• nonpersistent agent
• notification
• OSA (Open System Authentication)
• PAP (Password Authentication Protocol)
• password policy
• PEAP (Protected EAP)
• persistent agent
• port mirroring
• principal
• proxy server
• PSK (Pre-Shared Key)
• quarantine network
• RADIUS (Remote Authentication Dial-In User Service)
• RBAC (role-based access control)
• RC4 (Rivest Cipher 4)
• role separation
• root bridge
• root guard
• RSTP (Rapid Spanning Tree Protocol)
• security token
• SIEM (Security Information and Event Management)
• signature
• signature management
• SKA (Shared Key Authentication)
• SPB (Shortest Path Bridging)
• SSO (single sign-on)
• stateful firewall
• stateless firewall
• STP (Spanning Tree Protocol)
• supplicant
• TACACS+ (Terminal Access Controller Access Control System Plus)
• ticket
• TKIP (Temporal Key Integrity Protocol)
• UTM (Unified Threat Management)

Instructor Manual for Network+ Guide to Networks
Jill West, Tamara Dean, Jean Andrews
9781337569330, 9781133608196
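Returning to the Switch Port Security section of this chapter: the two controls it names, a per-port MAC address limit (the idea behind switchport port-security) and storm control checked at one-second intervals (Quick Quiz 1, question 5), are easy to demonstrate in class with a small simulation. The code below is an added teaching example written for this manual, not from the textbook or from any switch vendor; the port names, the limit of two MAC addresses, the broadcast threshold, and the sample frames are constructed assumptions rather than vendor defaults.

```python
"""Simulate two switch-port protections: a per-port source-MAC limit and a
per-second broadcast storm-control check.

Constructed teaching example.  Port names, limits, thresholds and the frame
sample are assumptions chosen for the demonstration, not device defaults.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


class SecuredPort:
    """A switch port that learns at most `max_macs` distinct source MACs.

    A frame from any further source MAC is a violation.  With shutdown=True
    the port goes err-disabled and drops everything afterwards, so a stream
    of forged source addresses can never fill the switch's MAC address table
    through this port (the MAC flooding case the textbook mentions).
    """

    def __init__(self, name: str, max_macs: int = 2, shutdown: bool = True):
        self.name = name
        self.max_macs = max_macs
        self.shutdown = shutdown
        self.learned: Set[str] = set()
        self.violations = 0
        self.err_disabled = False

    def receive(self, src_mac: str) -> str:
        """Process one ingress frame and report what the port did with it."""
        if self.err_disabled:
            return "dropped (err-disabled)"
        if src_mac in self.learned:
            return "forwarded"
        if len(self.learned) < self.max_macs:
            self.learned.add(src_mac)
            return "forwarded (learned)"
        self.violations += 1
        if self.shutdown:
            self.err_disabled = True
            return "violation: port shut down"
        return "violation: dropped"


def observe_many_sources(port: SecuredPort, count: int) -> Dict[str, int]:
    """Feed `count` frames, each from a different source MAC, and tally outcomes."""
    outcomes: Dict[str, int] = defaultdict(int)
    for i in range(count):
        outcomes[port.receive(f"02:00:00:00:{i >> 8:02x}:{i & 0xFF:02x}")] += 1
    return dict(outcomes)


def storm_control(frames: List[Tuple[float, str]], threshold: int) -> List[int]:
    """Return the one-second intervals whose broadcast count exceeded `threshold`.

    `frames` holds (timestamp_in_seconds, destination_mac) pairs.  This is the
    check storm control performs: count broadcast frames per one-second
    interval and flag the intervals above the configured level.
    """
    per_second: Dict[int, int] = defaultdict(int)
    for ts, dst in frames:
        if dst == BROADCAST:
            per_second[int(ts)] += 1
    return sorted(sec for sec, n in per_second.items() if n > threshold)


# Constructed traffic sample: a burst of broadcasts during second 1 only.
UNICAST = "aa:bb:cc:dd:ee:01"
FRAMES = [
    (0.1, BROADCAST), (0.4, UNICAST), (0.7, BROADCAST),
    (1.0, BROADCAST), (1.1, BROADCAST), (1.2, BROADCAST),
    (1.3, BROADCAST), (1.5, BROADCAST), (1.9, BROADCAST),
    (2.2, BROADCAST), (2.8, UNICAST),
]

if __name__ == "__main__":
    port = SecuredPort("Gi0/1", max_macs=2, shutdown=True)
    print(observe_many_sources(port, 1000))  # two learned, one violation, rest dropped
    print("err-disabled:", port.err_disabled)
    print("storm intervals (threshold 3/s):", storm_control(FRAMES, 3))
```

A useful classroom contrast is to run the same thousand-source stream through a port built with shutdown=False: the port stays up and keeps forwarding its two legitimate hosts, but every extra source is counted as a violation and dropped, which is the behaviour an administrator would expect to see reflected in the switch's violation counters and logs.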
